Cisco Firepower Management Center 4000
FireSIGHT System User Guide
Chapter 32 Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules
Table 32-12 Additional Optional byte_test Arguments

| Argument | Description |
| --- | --- |
| Relative | Makes the offset relative to the last successful pattern match. |
| Align | Rounds the number of converted bytes up to the next 32-bit boundary. |

You can specify only one of DCE/RPC, Endian, or Number Type.

To define how the byte_test keyword calculates the bytes it tests, choose from the arguments in the following table. If neither argument is specified, network byte order is used.

Table 32-13 Endianness byte_test Arguments

| Argument | Description |
| --- | --- |
| Big Endian | Processes data in big endian byte order, which is the default network byte order. |
| Little Endian | Processes data in little endian byte order. |
| DCE/RPC | Specifies a byte_test keyword for traffic processed by the DCE/RPC preprocessor. See for more information. The DCE/RPC preprocessor determines big endian or little endian byte order, and the Number Type and Endian arguments do not apply. When you enable this argument, you can also use byte_test in conjunction with other specific DCE/RPC keywords. See for more information. The DCE/RPC preprocessor must be enabled to allow processing of rules that include this option. When the DCE/RPC preprocessor is disabled and you enable rules that use this option, you are prompted whether to enable the preprocessor when you save the policy. See . |

You can define how the system views string data in a packet by using one of the arguments in the following table.

Table 32-14 Number Type byte_test Arguments

| Argument | Description |
| --- | --- |
| Hexadecimal String | Represents converted string data in hexadecimal format. |
| Decimal String | Represents converted string data in decimal format. |
| Octal String | Represents converted string data in octal format. |

For example, if the value for byte_test is specified as the following:
• Bytes = 4
• Operator and Value > 128
• Offset = 8
• Relative enabled
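The following Python model is an added illustration, not code from the Cisco guide or from the product. It shows how the Relative, Endian, and Number Type arguments change what a byte_test with the page's example values (Bytes = 4, > 128, Offset = 8) evaluates. The function names, the `cursor` parameter, and the packet bytes are constructed for this sketch; Align and DCE/RPC are not modeled.

```python
import operator

# Comparison operators modeled here (a subset chosen for the sketch).
OPS = {"<": operator.lt, ">": operator.gt, "=": operator.eq, "!": operator.ne}
# Number Type arguments from Table 32-14 mapped to a numeric base.
BASES = {"hex": 16, "dec": 10, "oct": 8}


def after_match(payload, pattern):
    """Return the index just past the first match of pattern, or -1."""
    i = payload.find(pattern)
    return -1 if i < 0 else i + len(pattern)


def byte_test(payload, nbytes, op, value, offset, *, cursor=0,
              relative=False, endian="big", string=None):
    """Evaluate one byte_test against payload.

    cursor   -- end of the last successful pattern match (used if relative)
    endian   -- "big" (network order, the default) or "little"
    string   -- None for binary data, or "hex"/"dec"/"oct" for string data
    """
    start = offset + (cursor if relative else 0)
    field = payload[start:start + nbytes]
    if start < 0 or len(field) < nbytes:
        return False  # not enough data at that position: no match
    if string:
        try:
            number = int(field.decode("ascii"), BASES[string])
        except ValueError:  # non-ASCII or non-numeric text: no match
            return False
    else:
        number = int.from_bytes(field, endian)
    return OPS[op](number, value)


# Constructed sample packet: marker, 8 filler bytes, a 4-byte binary
# field, then the same kind of field encoded as the ASCII text "0200".
MARKER = b"HDR\x00"
PACKET = MARKER + b"\x00" * 8 + b"\x01\x00\x00\x00" + b"0200"
CURSOR = after_match(PACKET, MARKER)  # 4

if __name__ == "__main__":
    for kw in ({}, {"endian": "little"}, {"relative": False}):
        args = {"cursor": CURSOR, "relative": True, **kw}
        print(kw or "page example", byte_test(PACKET, 4, ">", 128, 8, **args))
```

The same four bytes pass the test in big endian order and fail it in little endian order, and the text "0200" passes as decimal or hexadecimal but fails as octal (128 is not greater than 128), which is why a rule's Endian and Number Type choices must match the protocol field being inspected.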